A computer system includes a management computer for automatically changing a password used to authenticate a user to a service application. A user device includes a password vault managed by a password management application. The management computer monitors for an event signifying that the password is to be changed, e.g., a predetermined number of uses, etc. A new password is assigned, and a first message is generated and sent to the service application including the new password and an indication that it is to be used for subsequent user authentication. A second message is also generated and sent to the password management application, also including the new password and an indication that it replaces a current password in the vault for user authentication. The new password is automatically used by both the service application and the user device during subsequent authentications until expiration.
1. A method of operating a management computer to automatically change a password used by a user to authenticate to a service application executing in a service computer system communicatively coupled to the management computer, the service computer system including a service application server and an active directory server, the user having a computerized user device including a vault in which active passwords are stored, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device, the method comprising:
monitoring for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, and
in response to occurrence of the event:
assigning a new password;
generating a first message and sending it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application, the first message being sent via a first interface of the management computer, the first interface coupling the management computer to a first network and the service computer system, the first message being sent to the active directory server to update a user authentication record used by the active directory server in authenticating the user to the service application; and
generating a second message and sending it to the password management application, the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application, the second message being sent via a second interface of the management computer, the second interface coupling the management computer to a second network and the user device used by the user,
wherein generating the second message and sending it to the password management application includes communicating with the user device using a vault application programming interface (API) that (i) enables external management of contents of the password vault and of the operation of the password management application, and (ii) causes the new password to be stored in the vault in association with an identification of the service application for use in the authenticating of the user thereto.
16. A computer system, comprising:
a service computer system executing a service application;
a computerized user device including a vault in which active passwords are stored, the passwords including a password used by a user to authenticate to the service application, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device; and
a management computer used to automatically change the password used by the user to authenticate to the service application, the management computer being configured and operative to monitor for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, and in response to occurrence of the event (1) assign a new password, (2) generate a first message and send it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application, and (3) generate a second message and send it to the password management application using a vault application programming interface (API), the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application,
the password management application being configured and operative, in response to communications from the management server using the vault API, to (i) enable the management server to manage contents of the password vault and operation of the password management application, and (ii) in response to the second message using the vault API, to store the new password in the vault in association with an identification of the service application for subsequent use by the user device in authenticating the user to the service application,
wherein the management computer includes a first interface to a first network for coupling the management computer to the service computer system, and includes a second interface to a second network for coupling the management computer to the computerized user device used by the user, and wherein (i) the first message is sent to the service computer system via the first interface, and (ii) the second message is sent to the password management application via the second interface,
and wherein the service computer system includes a service application server and an active directory server, and the first message is sent to the active directory server to update a user authentication record used by the active directory server in the authenticating of the user to the service application.
8. A management computer, comprising:
one or more processors;
memory coupled to the processors by a high-speed data bus; and
input/output interface circuitry coupled to the memory and the processors by the high-speed data bus, the input/output interface circuitry coupling the management computer to a service computer system and a computerized user device used by a user, the user device including a vault in which active passwords are stored, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device,
the memory storing instructions which, when executed by the processors, cause the management computer to operate to automatically change a password used by the user to authenticate to a service application executing in the service computer system, by:
(1) monitoring for occurrence of an event signifying that the password is to be changed, the event being a single use of the password for authenticating the user to the service application, and
(2) in response to occurrence of the event:
(a) assigning a new password;
(b) generating a first message and sending it to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application; and
(c) generating a second message and sending it to the password management application, the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application,
wherein the instructions, when executed by the processors to cause the management computer to generate the second message and send it to the password management application, cause the management computer to communicate with either the user device or password management server via a vault application programming interface (API) that (i) enables external management of contents of the password vault and of the operation of the password management application, and (ii) causes the new password to be stored in the vault in association with an identification of the service application for use in authenticating the user thereto,
wherein the input/output interface circuitry includes a first interface to a first network for coupling the management computer to the service computer system, and includes a second interface to a second network for coupling the management computer to the computerized user device used by the user, and wherein (i) the first message is sent to the service computer system via the first interface, and (ii) the second message is sent to the password management application via the second interface,
and wherein the service computer system includes a service application server and an active directory server, and the first message is sent to the active directory server to update a user authentication record used by the active directory server in the authenticating of the user to the service application.
2. The method of
3. The method of
4. The method of
5. The method of
6. The method of
7. The method of
9. The management computer of
10. The management computer of
11. The management computer of
12. The management computer of
13. The management computer of
14. The management computer of
15. The management computer of
the computerized user device is one of a plurality of computerized user devices used by respective users, each user device including a respective vault managed by a respective password management application executing either on the respective user device or on the password management server, and the input/output interface circuitry couples the management computer to the plurality of computerized user devices; and
the instructions are executed by the processors to cause the management computer to operate to automatically change respective passwords used by respective users by performing steps (1) and (2) for each password change, including:
at step (2)(a), assigning a respective new password for the respective user;
at step (2)(b), generating a respective first message including the respective new password and including an indication that the service application is to begin using the respective new password to authenticate the respective user to the service application; and
at step (2)(c), generating a respective second message and sending it to the respective password management application, the respective second message including the respective new password and an indication that the respective new password is to replace a respective current password in the vault of the respective user device for use in authenticating the respective user to the service application.
17. The computer system of
18. The computer system of
Organizations or enterprises commonly include legacy computer systems that use traditional password-based user authentication, i.e., authentication based on a username/password pair. Some systems or applications may use Active Directory credentials, while others may require their own. In larger organizations there may be several such legacy applications that a user uses, each requiring its own password.
One approach to password management in such circumstances is for each user to manage his own passwords for both in-enterprise and third-party applications. Because of the difficulty of remembering a number of complex or arbitrary passwords, there is a tendency for the passwords to be weak. They might be easily guessed. Even stronger passwords are not safe, as they can be phished or extracted by malware that has infected a computer system. If the passwords are not changed often enough, then there is opportunity for a system to be accessed improperly using a stolen or guessed password.
There are known systems that can provide stronger user authentication with less risk of password compromise or damage resulting from any compromise. One system employs so-called “one-time passwords” or OTPs. Users are given hardware or software “tokens” that execute a secure algorithm for generating random passwords, and these are synchronized to counterpart server-executed algorithms. Whenever a user authenticates to a system or application, the token is used to generate a new OTP, which is compared with an OTP generated within the system. A match indicates user possession of the assigned token, leading to authentication of the user. Another type of system employs so-called “federation”, in which a collection of servers are integrated with a centralized authentication server that handles user authentication and issues short-lived passcodes or tickets that are accepted by the servers as evidence of user authentication. Both types of system require some type of integration of the specialized authentication methods/facilities into the service computer or application, and thus are not universally utilized. Even in an enterprise that uses such a system, there may be legacy systems or applications that are not integrated into the system and thus pose a security vulnerability due to their reliance on user-managed passwords.
The present disclosure is directed to methods and apparatus for improved security in systems and applications that employ conventional password-based authentication, especially such systems or applications that have conventionally relied upon users managing their own passwords. Disclosed techniques provide for use of stronger passwords and more frequent changing of passwords, without requiring integration of an application with a specialized system such as an OTP system or federation, and without burdening the user to remember a large number of complex and short-lived passwords.
The disclosed methods and apparatus employ a password vault which may be of the type generally known in the art, e.g., password managers such as LastPass or Roboform that are installed on user devices. In contrast to the conventional use of such password managers, i.e., with the user controlling the timing of new password generation etc., in the present application an enterprise management computer such as an identity management system works through the password manager to implement an organization password policy. The management computer pushes new passwords both to a target service application, which may be a legacy application for example, and to the password vault on user device(s). This can be done as a background process not visible to the user. When a user is to authenticate to the service application, the new password is retrieved from the vault. New passwords may be pushed at a desired high frequency, either based on a time interval or a number of uses, which in one example might be a single use (i.e., each password is used only once).
More particularly, a method is disclosed of operating a management computer to automatically change a password used by a user to authenticate to a service application executing in a service computer system communicatively coupled to the management computer. The user has a computerized user device including a vault in which active passwords are stored, the vault being managed by a password management application executing either on the user device or on a password management server coupled to the user device.
The method includes monitoring for occurrence of an event signifying that the password is to be changed. As mentioned, the event might be passage of time, a number of uses, etc. In response to occurrence of the event, a new password is first assigned. Then a first message is generated and sent to the service computer system, the first message including the new password and an indication that the service application is to begin using the new password to authenticate the user to the service application. Concurrently, a second message is generated and sent to the password management application, the second message including the new password and an indication that the new password is to replace a current password in the vault for use in authenticating the user to the service application.
With the above process complete, the next time the user accesses the service application, the new password is automatically used for the authentication. The device-based password vault typically can auto-populate a login or other authentication page, saving the user from having to manually copy the new password into a password field. Thus, lengthy and complex passwords can be employed with no burden on the user.
The event signifying that the password is to be changed coincides with expiration of a current password, which as mentioned may be based on any of a variety of policies. To assist the management computer in monitoring for expiration, the user device or service application may inform the management computer when a new password has been used for authentication. In the case of a one-time-use regime, for example, that notification would trigger generation and sending of a next new password.
One advantage of the disclosed technique is the ability to create and maintain short-lived or “ephemeral” passwords, which are much less risky than the more static passwords used today for legacy applications that do not support federation, OTP authentication, or other schemes requiring application integration. An organization or enterprise can enforce password policy both for internal and external applications, and have less exposure to password phishing or other password stealing attacks. The disclosed approach is generally better than user-driven password management, because it supports strong passwords and frequent changing of passwords. Even if a user employs a conventional vault solution, there is still the problem of relatively infrequent changing of passwords. So the disclosed technique is better by virtue of the automated generation and use of new passwords at a desired high frequency, even to the logical extreme of one-time use.
The foregoing and other objects, features and advantages will be apparent from the following description of particular embodiments of the invention, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views.
Specifically as described above, the service application 14 may be a legacy application employing its own password-based user authentication rather than participating in a more integrated “federation” scheme, e.g., Kerberos or other token-based authentication regime, that may be used in an enterprise. Such federations provide the desired robustness with respect to passwords (i.e., tokens) used throughout the system. The service application 14 may be deployed in a system completely lacking any such integrated authentication scheme, or it may be part of a system that includes such a scheme but the service application 14 does not participate, for technical or business reasons for example.
As shown, the identity management system 12 communicates with either the user device 10 or password management server 18 via a vault application programming interface (API) 20. The vault API 20 enables external management of the contents of the PW vault and of the operation of the PW manager on the user device 10. In an embodiment including the password management server 18, the vault API 20 is provided by the password management server 18, which communicates separately with the user device 10. Alternatively, the user device 10 may provide the vault API 20 for use by the identity management system 12 in directly communicating with the user device 10.
While
The process begins within the identity management system 12, which is responsible for higher-level control in accordance with an established password management policy. An example is used which assumes a policy of one-time use for passwords. Other policies may of course be employed, including for example time-based expiration of passwords or event-based expiration with identification of the triggering events. Policies may also incorporate different bases, e.g., both time-based and event-based. Additionally of course, the process may be initiated by a security event, such as discovery that a password may have been compromised.
Thus it is assumed that at some time the identity management system 12 is to assign a new password for authenticating the user (using the user device 10) to the service application 14. The identity management system 12 may auto-generate the new password or perhaps obtain it in some other manner. It then initiates the following process, numbered to correspond to the depiction in
1. The identity management system 12 provides the new password to the active directory 16 to be used by the service application 14 in new authentications of the user.
2. The identity management system 12 provides the new password to the user device 10 using the vault API 20. That is, the new password is stored in the password vault on the user device 10 in association with an identification of the service application 14, for use in authenticating the user thereto.
3. The user at some later time accesses the service application 14 and uses the new password from the vault in the login or other authentication process. As known in the art, the password manager on the user device may auto-populate the password field of a login page with a password it retrieves from the vault, saving the need for the user to interrogate the vault and then manually enter the password.
4. As part of the user authentication process, the service application passes the password that was supplied by the user in step 3 to the directory 16, which compares the supplied password with the password that is stored in the directory 16. Access is then granted or denied based on the result of the authentication, in the usual manner.
5. The user device 10 notifies the identity management system 12 that the new password has been used. Assuming a policy of one-time use, the identity management system then repeats steps 1 and 2 for a next new password that will be required for the next user login. These operations may be done immediately or scheduled in some manner.
In one variation, the notification (step 5) of use of the new password may be sent by the service application 14 or directory service, i.e., active directory 16, rather than by the user device 10. In an embodiment employing a time-based password policy, the notification at step 5 may be unnecessary and thus dispensed with. In an embodiment employing the password management server 18, step 2 may include sub-steps for the identity management system 12 invoking the password management server 18 and then the password management server 18 communicating with the user device 10.
At 42, the identity management system 12 provides or “pushes” the new password to both the service application (or its active directory, as described above) and to the vault on the user device 10, which may be done via a separate password management server 18. This operation includes sending one or more messages to both the service application 14 and the user device 10 (either directly or via the password management server 18), with contents including the new password as well as an identification of the user and the service application 14 for which the new password is being provided.
At 44, the identity management system 12 expires the new password according to a policy that is in place, at which time the process of
Regarding the notification at 56, there may be different conditions applied to whether and how the notification is sent, specifically depending on whether the authentication fails. If the authentication fails, it is an indication that a fraudster may be involved and thus the operation may be modified to reduce security risk. For example, it may be desirable to refrain from sending the normal notification, and in some cases the normal notification may be replaced by a notification of the unsuccessful authentication. This type of notification can enable the identity management system to take other protective action, which might include flagging this user's account as having heightened security risk for example.
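The following Python simulation is an added example, not code from the patent: it walks through the five-step one-time-use process (steps 1 to 5 above) and the failed-authentication handling described for the notification at 56, showing that a password already used once is rejected on replay and flags the account. The class names, the user “alice”, the service “legacy-hr”, and the directory storing a salted PBKDF2 hash instead of the plain password are assumptions of this example.

```python
import hashlib
import hmac
import secrets

PASSWORD_LEN = 32  # assumed policy: long random passwords, since the vault fills them in
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"


class ActiveDirectory:  # directory 16: holds the user authentication record (steps 1, 4)
    def __init__(self):
        self._records = {}  # (user, service) -> (salt, PBKDF2 digest)

    def update_record(self, user, service, password):
        # First message: replace the record so the new password is used from now on.
        salt = secrets.token_bytes(16)
        self._records[(user, service)] = (salt, self._digest(salt, password))

    def verify(self, user, service, password):
        # Missing record compares against an empty digest and fails; constant-time compare.
        salt, digest = self._records.get((user, service), (b"", b""))
        return hmac.compare_digest(digest, self._digest(salt, password))

    @staticmethod
    def _digest(salt, password):
        # Assumption: the directory stores only a salted hash, never the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PasswordVault:  # vault on user device 10, managed through vault API 20 (step 2)
    def __init__(self):
        self._entries = {}  # identification of the service application -> active password

    def api_replace(self, service, new_password):
        # Second message: the new password replaces the current one for this service.
        self._entries[service] = new_password

    def lookup(self, service):
        # Step 3: the password manager retrieves the password to auto-fill the login page.
        return self._entries[service]


class IdentityManagementSystem:  # management computer 12, enforcing one-time use
    def __init__(self, directory, vault, user):
        self.directory, self.vault, self.user = directory, vault, user
        self.rotations, self.flagged = 0, set()  # flagged: heightened-risk accounts

    def assign_new_password(self):
        return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))

    def rotate(self, service):
        new_pw = self.assign_new_password()
        self.directory.update_record(self.user, service, new_pw)  # step 1
        self.vault.api_replace(service, new_pw)                    # step 2
        self.rotations += 1

    def notify_used(self, service, succeeded):
        # Step 5 (notification at 56): a successful use expires the password and triggers
        # the next one; a failed use is reported as such and flags the account instead.
        if not succeeded:
            self.flagged.add((self.user, service))
            return
        self.rotate(service)


class ServiceApplication:  # legacy service application 14; defers the check to the directory
    def __init__(self, name, directory, ims):
        self.name, self.directory, self.ims = name, directory, ims

    def login(self, user, password):
        ok = self.directory.verify(user, self.name, password)  # step 4
        self.ims.notify_used(self.name, ok)  # variation: the service application notifies
        return ok


def simulate_one_time_use():
    # One login from the vault, a replay of the same password, then a login with the rotated one.
    directory, vault = ActiveDirectory(), PasswordVault()
    ims = IdentityManagementSystem(directory, vault, "alice")  # constructed user
    app = ServiceApplication("legacy-hr", directory, ims)      # constructed service
    ims.rotate(app.name)                                        # initial provisioning
    first_pw = vault.lookup(app.name)
    first_ok = app.login("alice", first_pw)                     # password taken from the vault
    replay_ok = app.login("alice", first_pw)                    # same password presented again
    second_ok = app.login("alice", vault.lookup(app.name))      # current vault password
    return {
        "first_login": first_ok,
        "replay_of_used_password": replay_ok,
        "account_flagged": ("alice", app.name) in ims.flagged,
        "login_with_current_vault_password": second_ok,
        "rotations": ims.rotations,
    }
```

Because the vault is updated in the same rotation as the directory, the user never sees the change, while a password captured from one login is useless for a second one.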
While various embodiments of the invention have been particularly shown and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Friedman, Lawrence N., Kronrod, Boris